New security hole found in QuickTime and Mac OS-X

A new security flaw that was discovered last week and that breached a MacBook in a Hack-a-Mac
competition was attributed to Apple's QuickTime media player. Internet security worker Dai Zovi said
the security vulnerability is directly related to the method QuickTime handles Java scripts. Zovi added
that a potential hacker can exploit the security hole through Safari or Firefox. Some of the reports
that first came in had indicated that the flaw was initially located in Safari, Apple's Internet browser.

Furthermore, Zovi said "it's a vulnerability within QuickTime. Safari and Firefox on Mac OS-X are also
vulnerable. QuickTime is also widely used on Windows machines, so Windows users may also be at risk. At
this time, Firefox on Windows is potentially considered at risk."

Internet security monitoring company Secunia identified the hole as "highly critical," one notch
below its most serious rating. "This can be exploited to execute arbitrary code when a user visits a
malicious Web site," Secunia said.

Apple's most recent QuickTime security update was last month.

Shane Macaulay, a software engineer and friend of Dai Zovi, hacked into a MacBook using the QuickTime
security hole on April 20. The computer was one of two offered as a prize in the "PWN to Own - Hack-a-Mac"
contest at the CanSecWest conference in Vancouver, B.C.

The successful Internet attack on the second and final day of the contest required a conference
organizer to surf to a malicious website using Safari on the MacBook, a type of attack more familiar to
Windows users than to Mac OS-X clients.

For its part, Apple declined to comment on the MacBook security vulnerability. However, last Friday, spokeswoman
Lynn Fox provided Apple's standard security comment by saying "Apple takes security very seriously and has
a great track record (!) of addressing potential vulnerabilities before they can affect users."

Further details on Apple's security hole are being kept confidential until the company successfully
patches it. Meanwhile, Dai Zovi has submitted the vulnerability to TippingPoint's Zero Day Initiative bug bounty
program.

TippingPoint, which sells intrusion prevention systems, had offered a $10,000 cash prize for a Mac
zero-day vulnerability to make the CanSecWest contest more appealing to potential hackers.

Dai Zovi added "TippingPoint has since offered to purchase the vulnerability and I have agreed.
Payment is in fact pending."

Zovi also commented that "disabling Java in a browser further shields a computer against attacks
that could exploit the security hole. By default, Mac computers are vulnerable since Apple automatically
ships QuickTime with its OS X operating system.

However, Windows PC users are only vulnerable if QuickTime is installed on their computers.